Tech News and Miscellany

I've used Firefox for the last two decades or so. Not because of any specific privacy concerns or features, but because one day I wanted an alternative to IE and Firefox was the "other" browser at the time, so I got it and then never stopped using it.

I should probably look into these privacy thingamajiggers in this browser.
In your case, the FBI and NSA have long ago given up reading along over your shoulder.
 
I wonder what Opera is up to these days? It used to be my preferred browser like 15 years ago...

*checks*

Oh god... why is it all RGB?
 
I was helping one of the crafty ladies get some nasty extensions off her browser that popped up ads over websites she was visiting.

She was using Opera. It took me a full 5 minutes just to figure out what browser it was. My brain just seized up.
 
I wonder what Opera is up to these days? It used to be my preferred browser like 15 years ago...
*checks*
Oh god... why is it all RGB?
Opera got bought. Opera also decided to switch their back-end rendering engine over to Chromium. These two things may be related.
I was helping one of the crafty ladies get some nasty extensions off her browser that popped up ads over websites she was visiting.
She was using Opera. It took me a full 5 minutes just to figure out what browser it was. My brain just seized up.
Some forms of malware actually download/install Opera (and/or the base Chromium) on the client's machine just so the software can dress it up and try to pass it off as Chrome (and because that way they install their preferred attack path) and hopefully the client won't notice. Because most clients won't.

--Patrick
 
That wasn't the case here...she just preferred Opera.
 
I used to, too. Until they caved and switched to Chromium. Not so much because I hate Chromium, but because I don't want to have duplicate rendering engines. If I flip from BrowserA to BrowserB because of some website error or security concern with BrowserA, I don't want BrowserB to do the exact same thing because it's essentially the same browser but with different branding.

--Patrick
 

GasBandit

Staff member
Look, I know it's a pain in the ass because I'm doing it myself right now... but... it's time to ditch LastPass and change all your passwords.


TLDR - the latest (second this year) breach in August was way worse than initially reported, encrypted contents of entire vaults are now in enemy hands, and they can now brute force your master password at their leisure, and they have unencrypted URLs and usernames for all your vaulted logins, so they can start trying to crack those as well (assuming they don't just get the password from your vault when they crack your master password).

I've moved to BitWarden and am in the process of changing alllll my passwords. At least those that point to anything I care about, like ones that directly involve finances or go to websites with stored payment methods.
 
About a month ago, my company was recommending password managers, and LastPass was on the approved list. I spoke up in a zoom meeting of like 130 people and pointed out this very breach as a reason why I'll never use a password manager where your passwords are stored in the cloud in a central repository with a million other people's passwords. That's a mighty tempting target, yo.
 
I've never used a password manager, mostly due to laziness, but also because I thought there had to be something I was missing about them. Surely storing all your passwords in one centralized cloud service or database would create a single point of vulnerability? What was I missing? Why do so many people use them?

So anyway, for decades now my strategy has been "remember only the password to my email account, and for everything else, if I don't remember the password then just go through their 'forgot my password' procedures". I've reset so many passwords over the years.
 
I'm using an older version of 1password that does not store my passwords in the cloud. It stores the file 'locally'. In this case, 'locally' can also mean a cloud drive of some type: Google drive, Microsoft Drive, Dropbox, Mega, etc. Sure, my file is still in the cloud, but it's more of an obscure target than all of the millions of passwords sitting over there at LastPass (or the newer version of 1password). I imagine someone would have to target me specifically before I was vulnerable. And that file is still encrypted. But being on one of my own bought and paid for cloud services means I can access it with my phone, laptop, or other devices at need. And if you don't need that functionality? Keep the file local and don't worry about a cloud breach anywhere.

KeePass is another open source password manager that stores your encrypted file locally, and not in their own cloud.

I like password managers, because, like most people, my passwords were not too difficult, and shared across sites. I ended up being exposed in a breach ( https://haveibeenpwned.com/ ) which then saw many of my other sites I used start falling. In less than a day, I had a password manager, and all of the sites where I had accounts had unique 16-digit passwords (where allowed..I still don't get sites that only let you use 8 or 12) with case scrambling, numbers, and symbols. Too much for me to remember, naturally, and a pain to type in, but that's where the password manager shines.
 

GasBandit

Staff member
Same story as me, mostly. I got pwned in a breach and decided I needed to have unique passwords on every site. But that's 200 sites. So I used LastPass to keep track of them.

To LastPass's credit, the stolen data IS encrypted. But the problem is, with a local copy of that data, they can then try to brute force crack it without running afoul of things like IP blocking safeguards. Bitwarden's a bit better because it's open source and professionally audited, has a bug bounty program, etc etc etc. And unlike LastPass, "employee accounts" don't have access to your encrypted vault data (which is why LastPass is now in the shit).
 
Eh. For some specific sites I have a completely unique password; for some where I think I'll use this once and never again, I just let Google choose a hard PW for me, and when I do need it again I just do the Bhamv. For most sites I use the same base password and add a bit specific to the site name.
Yes, a human being can probably guess 90% of my passwords if I tell them my Halforums password is "567dfg!HalF" and my Facebook password is "567dfg!FacE"....but if a human is specifically targeting me, I assume they'll get in one way or another. It's enough to keep me from giving access to everything if they breach the DB for one site and just auto-fill that PW across a gazillion sites.
 
KeePassXC for me. For around 10 years actually. Originally just normal KeePass, but it's "not really" open source.

As others have said, you control where the encrypted archive lives. Or doesn't. But just "remembering" is not a real solution. And having everything subject to your email provider makes you SUPER screwed if that goes wrong.

And, correct horse battery staple.
 

GasBandit

Staff member

Dina Srinivasan, a Yale University fellow and adtech expert, said the lawsuit is “huge” because it aligns the entire nation — state and federal governments — in a bipartisan legal offensive against Google.

This is the latest legal action taken against Google by either the Justice Department or local state governments. In October 2020, for instance, the Trump administration and eleven state attorneys general sued Google for violating antitrust laws, alleging anticompetitive practices in the search and search advertising markets.

The lawsuit in essence aligns the Biden administration and new states with the 35 states and District of Columbia that sued Google in December 2020 over the exact same issues.

The states taking part in the suit include California, Virginia, Connecticut, Colorado, New Jersey, New York, Rhode Island and Tennessee.
 
I don't know enough about Cory Doctorow to say if he's worth listening to, but this, at least, is right on the money. Of course, it's also fairly obvious, no? I can name a dozen more platforms where the same process either has happened, is happening, or will probably start soon.
 
I really enjoyed Down and Out in The Magic Kingdom. The story really captured how messy and difficult working in a group of fan / volunteers can be.

The book can be downloaded for free from his website.
 